Security Safeguards

A patient data platform you can have confidence in

Keeping patient health information secure is our highest priority.

Securing Redox

  • Our databases are 256 bit AES encrypted. Database filesystems are encrypted using AWS managed keys. Encrypted backups are taken nightly and stored in a separate geographic location.
  • Redox exceeds industry, HIPAA-compliant, and National Institute of Standards and Technology (NIST) recommended encryption standards to protect client data.
  • We’re hosted on Amazon Web Services (AWS) and have a business associate agreement (BAA) in place with Amazon.
  • The Redox API scales to balance traffic across available application instances. Our endpoints receive automatic security updates, and we force HTTPS at the endpoint layer.
  • We deploy code changes without any interruption to traffic as application code runs in Docker containers in the app layer.
  • Redox applications and databases are redundant across AWS Availability Zones (AZs), so if an outage occurs in one AZ, we failover with minimal interruption to traffic.
  • Application containers and our database reside in a private subnet, inaccessible from the outside internet. Access is restricted to the application and bastion layers.


SOC2 is an industry-standard, technology service provider report verifying compliance and controls pertaining to Security and Availability. “Type 2” indicates that this is a multi-month, over-time evaluation period for compliance.

The gold standard in health data security. Redox is HITRUST certified and meets the same high standards that the most secure organizations in the world have to meet.


Redox contracts a number of independent auditing:

We undergo multiple third-party penetration tests yearly, including manual penetration testing on our application as well as internal and external network penetration testing for our infrastructure to identify potential system vulnerabilities. This ensures any security issues are resolved before they have a chance to arise and that data is properly guarded. Code audits are performed regularly to scan our code base and find and address any security vulnerabilities. Intrusion detection is used to monitor all system-level events and escalate any incongruent activity, like a user promoting their privileges or modifying files.


Between an application and Redox, end-to-end encryption is done to secure all data transmitted over an HTTPS connection. Within the Redox application, we support modern industry OAuth and SAML standards to authenticate applications that send to Redox and to authenticate with applications that receive information from Redox.

We store sensitive credentials as salted and hashed values for an additional layer of security. Redox supports Two-Factor Authentication for all users accessing the Redox Engine Dashboard, and requires it for all personnel with customer support responsibilities to further protect access to PHI.


TCP traffic from Health Systems is encrypted via a secure VPN connection. We use an IPsec protocol to ensure all traffic within the VPN is encrypted and authenticated. The VPN is consistently monitored with a heartbeat to ensure the connection remains healthy.


Redox staff must comply with Redox’s acceptable-use policy prior to gaining access to any protected systems or data. This includes using strong passwords, encrypting their device, enabling multi-factor authentication on all applicable systems, undergoing security training appropriate to their role, running anti-malware endpoint protection, and running Redox’s device provisioning application.


Redox maintains detailed processes in the event of a downtime, ranging from a simple container failure to large-scale regional failure of our AWS host. These scenarios are reviewed and tested regularly for accuracy and training.

Redox also maintains a structured process for identifying, escalating, and responding to security incidents. This process includes guidelines for ensuring containment of at-risk data, controls for system stability and performance, and a notification process if customers are affected.

Want to Learn More?

Redox is committed to continually working on security enhancements as technology changes and our infrastructure evolves. If you have any questions about our security measures or technology, feel free to reach out to us. 

(Please do not send any PHI over email under any circumstance).